u/pc/rhodecode-enterprise-ce-fork-pc Commit - r2101:5e992dcb

sessions: don't use pylons sessions for csrf tokens

marcink -

r2101:5e992dcb default

parent child

rhodecode/lib/auth.py

0 +2 -5

                      meta.Session.remove()
-             def get_csrf_token(session=None, force_new=False, save_if_missing=True):
+             def get_csrf_token(session, force_new=False, save_if_missing=True):
                  """
                  Return the current authentication token, creating one if one doesn't
                  already exist and the save_if_missing flag is present.
                  # NOTE(marcink): probably should be replaced with below one from pyramid 1.9
                  # from pyramid.csrf import get_csrf_token
-                 if not session:
-                     from pylons import session
                  if (csrf_token_key not in session and save_if_missing) or force_new:
                      token = hashlib.sha1(str(random.getrandbits(128))).hexdigest()
                      session[csrf_token_key] = token
                      if request.method in self.except_methods:
                          return func(*fargs, **fkwargs)
-                     cur_token = get_csrf_token(save_if_missing=False)
+                     cur_token = get_csrf_token(request.session, save_if_missing=False)
                      if self.check_csrf(request, cur_token):
                          if request.POST.get(self.token):
                              del request.POST[self.token]

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages